Adding the token to the form

» Note: the &key property needs to match the &csrfKey property we add to the FormIt snippet call in a minute.

For sensitive forms, you can also add a &singleUse property set to 1, which ensures each request gets a unique CSRF token. If you leave this out, the token for the form stays the same for up to 24 hours.

To show the error when the CSRF token does not match, or if it can't be securely generated on your server, add the following in an appropriate place in your form:

Validating the token with a hook

Now that we're submitting the token, we should also validate it. We do this with the csrfhelper_formit hook.

In the FormIt snippet call, add csrfhelper_formit to your &hooks property.

Also add the &csrfKey property with the key for the CSRF token; this should be unique for each unique form and match the &key in the csrfhelper snippet call. In the example above, this was set to simple-form.
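
The token lifecycle this page describes (one token per form key, reused for up to 24 hours unless single use is requested, then checked on submit) can be sketched in plain PHP. This is an added example, not CSRF Helper's or FormIt's own code: the function names, the array standing in for the session, and the `payment-form` and `other-form` keys are assumptions made for illustration.

```php
<?php
// Added illustration, not CSRF Helper's code. All names here are hypothetical.
const CSRF_TTL = 86400; // 24 hours, the reuse window the page describes

// Return the token for one form key; a new one is created when none is stored,
// when the stored one has expired, or when single use is involved.
function csrf_issue(array &$store, string $key, bool $singleUse = false, ?int $now = null): string
{
    $now = $now ?? time();
    $entry = $store[$key] ?? null;
    $reusable = $entry !== null && !$entry['single'] && !$singleUse
        && $now - $entry['issued'] < CSRF_TTL;
    if (!$reusable) {
        // random_bytes() throws when no secure randomness source is available,
        // which is the "can't be securely generated" case the form must report.
        $entry = ['token' => bin2hex(random_bytes(32)), 'issued' => $now, 'single' => $singleUse];
        $store[$key] = $entry;
    }
    return $entry['token'];
}

// Check a submitted token against the one stored under the same form key.
function csrf_validate(array &$store, string $key, string $submitted, ?int $now = null): bool
{
    $now = $now ?? time();
    $entry = $store[$key] ?? null;
    if ($entry === null || $now - $entry['issued'] >= CSRF_TTL) {
        unset($store[$key]); // nothing stored for this key, or the token is too old
        return false;
    }
    $ok = hash_equals($entry['token'], $submitted); // constant-time comparison
    if ($ok && $entry['single']) {
        unset($store[$key]); // a single-use token is spent after one accepted submit
    }
    return $ok;
}

// Constructed walk-through; $session stands in for the visitor's session storage.
$session = [];
$t1 = csrf_issue($session, 'simple-form');
var_dump($t1 === csrf_issue($session, 'simple-form'));  // second render of the same form
var_dump(csrf_validate($session, 'simple-form', $t1));  // submit under the matching key
var_dump(csrf_validate($session, 'other-form', $t1));   // same token, different form key
$t2 = csrf_issue($session, 'payment-form', true);       // form rendered with single use on
var_dump(csrf_validate($session, 'payment-form', $t2)); // first submit
var_dump(csrf_validate($session, 'payment-form', $t2)); // replay of the spent token
```

The key mismatch case is why &key and &csrfKey have to agree: a token is only ever compared with the one stored under the key the hook was given.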